🚨 BREAKING

OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-45158, has been identified in OPNsense, a FreeBSD-based firewall and routing platform. The National Vulnerability Database reports that versions prior to 26.1.8 are susceptible. This flaw stems from unsanitized user input in the DHCP configuration, which a shell script then processes, enabling an attacker to execute arbitrary code as root on the underlying operating system.

This isn’t just a bug; it’s a direct path to full system compromise on a critical network appliance. The CVSS score of 9.1 (CRITICAL) underscores the severity. An attacker with privileged access to manipulate DHCP configurations could leverage this to gain root on the firewall itself, turning a perimeter defense into an initial access vector for deeper network penetration. It’s a prime target for lateral movement and privilege escalation.

Defenders must prioritize patching. Leaving a critical RCE on your firewall unaddressed is an open invitation for adversaries. This isn’t theoretical; it’s a known attack path. Assume your perimeter is being probed and act accordingly.

What This Means For You

  • If your organization uses OPNsense, you need to immediately verify your version. Patch to 26.1.8 or later to mitigate CVE-2026-45158. An unpatched OPNsense firewall is a critical risk, providing a direct route to root-level compromise of your network's perimeter.

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one of them is shown below as Sigma YAML.

Severity: critical · ATT&CK: T1059.004 (Execution)

OPNsense RCE via DHCP Input - CVE-2026-45158

Sigma YAML

title: OPNsense RCE via DHCP Input - CVE-2026-45158
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the dhclient process with command line arguments indicative of a shell command injection vulnerability (CVE-2026-45158). This specific pattern looks for the use of 'sh -c', 'echo', 'base64 -d', and 'eval' within the dhclient command line, which is characteristic of the exploit leveraging unsanitized DHCP input to achieve remote code execution as root.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45158/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith: '/usr/libexec/dhclient'
    # all four substrings must be present in the command line (AND), not any one of them
    CommandLine|contains|all:
      - 'sh -c'
      - 'echo'
      - 'base64 -d'
      - 'eval'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
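To confirm that the selection above behaves the way its description says, here is an added example (not OPNsense's code and not part of the SCW rule feed): a minimal evaluator for the rule's two field tests, run over constructed process-creation events. It assumes events arrive as dicts with 'Image' and 'CommandLine' keys, as a process-creation collector would emit them, and it reproduces Sigma's case-insensitive semantics for 'endswith' and 'contains|all'.

```python
# Added example: tiny evaluator for the Sigma selection above.
# Not a Sigma backend; it only implements the modifiers the rule uses.

SELECTION = {
    "Image|endswith": ["/usr/libexec/dhclient"],
    "CommandLine|contains|all": ["sh -c", "echo", "base64 -d", "eval"],
}


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifier[|all]' entry against an event."""
    field, *modifiers = key.split("|")
    # Sigma string comparisons are case-insensitive by default.
    value = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "endswith" in modifiers:
        hits = [value.endswith(w) for w in wanted]
    elif "contains" in modifiers:
        hits = [w in value for w in wanted]
    else:
        hits = [value == w for w in wanted]
    # A value list is OR by default; the '|all' modifier turns it into AND.
    return all(hits) if "all" in modifiers else any(hits)


def matches(event, selection=SELECTION):
    """All keys inside one Sigma selection map are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def triage(events):
    """Return the indexes of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry); the base64 text is the
# placeholder 'QUJD' (decodes to 'ABC').
SAMPLE_EVENTS = [
    {"Image": "/usr/libexec/dhclient", "CommandLine": "dhclient em0"},  # benign lease renewal
    {"Image": "/usr/libexec/dhclient",
     "CommandLine": "dhclient em0 sh -c 'eval $(echo QUJD | base64 -d)'"},  # all four tokens
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'eval $(echo QUJD | base64 -d)'"},  # tokens present, wrong Image
    {"Image": "/usr/libexec/dhclient",
     "CommandLine": "dhclient em0 sh -c 'echo hello'"},  # only two of the four tokens
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [1]
```

Run against your own exported process-creation events to see how often 'echo' alone would have fired if the '|all' modifier were dropped.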

Indicators of Compromise

ID             | Type              | Indicator
CVE-2026-45158 | RCE               | OPNsense firewall and routing platform
CVE-2026-45158 | RCE               | OPNsense versions prior to 26.1.8
CVE-2026-45158 | RCE               | Unsanitized user input in DHCP configuration
CVE-2026-45158 | Command Injection | Shell script processing DHCP configuration

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
